2024-2025 Global AI Trends Guide
Recent enforcement actions, audit activity, proposed rulemakings, and guidance issued by the U.S. Department of Health and Human Services (“HHS”), Office for Civil Rights (“OCR”) highlight the agency’s focus on health data security and artificial intelligence. Although agency priorities will shift with the new administration, data security and AI issues are expected to remain key areas of focus. The recent array of OCR activities serve as helpful guidance as compliance strategies and roadmaps for 2025 are put in place.
A. Putting Security Front and Center
OCR’s recent actions underscore a renewed focus on security, which the agency attributes in part to a sharp rise in cyberattacks and ransomware in particular. Through its recent Security Rule Notice of Proposed Rulemaking, settlements emphasizing HIPAA security risk analysis and cyberattack readiness, and the launch of phase 3 of the HIPAA audit program, OCR is sending a clear signal that securing HIPAA-covered systems and data is a top priority.
OCR’s proposed updates to the HIPAA Security Rule mark its first attempt at revising the Rule since 2013. Although the rulemaking may be delayed as a result of the administration change, the new administration is likely to update the rule to help better protect the U.S. health care system from increasing cyberattacks. Key proposed changes, which were published in the Federal Register on January 6, 2025, and in the associated Fact Sheet, include: shifting to less flexible, more prescriptive requirements; specifying explicit time periods for a number of existing requirements; detailing the expectations for annual risk assessments and associated remediation; requiring encryption, multi-factor authentication, network segmentation, vulnerability scans, and penetration testing; formalizing incident response plans, contingency plans, and other policies; and conducting an annual audit of compliance with the Security Rule requirements. Additional Hogan Lovells observations are forthcoming.
OCR has announced a flurry of HIPAA settlement agreements and civil monetary penalties related to health data security. Between December 3, 2024 and January 15, 2025, the agency announced nine separate enforcement actions, many of which emphasized HIPAA security risk analysis and preparedness for cyberattacks. For example, settlement agreements announced with Elgon Information Systems, Virtual Private Network Solutions (“VPN Solutions”), and Northeast Surgical Group, P.C. (“NESG”), resulted from these companies falling victim to ransomware attacks, and involved allegations that the companies had not conducted a proper security risk analysis, thus leaving themselves vulnerable to cyberattacks.
Adding to OCR’s portfolio of security-focused activities, the agency has initiated 2024-2025 HIPAA Audits, which will assess 50 HIPAA-regulated entities’ compliance with selected provisions of the HIPAA Security Rule. This phase of the audit program aims to discover risks and vulnerabilities, particularly those related to hacking and ransomware, as well as best practices for improving the security of PHI. OCR will publish an industry report summarizing its findings after these audits are complete.
B. Reinforcing Obligations for Responsible AI
In addition to the agency’s security focus, OCR has shown commitment to promoting the responsible use of AI in health care. This is most evident in the agency’s 2024 final updates to regulations implementing Section 1557 of the Affordable Care Act, and the January 10, 2025, “Dear Colleague” letter, describing how covered entities can more safely use and introduce AI tools into their operations. The rules prohibit regulated entities – including health care providers that receive federal financial assistance or participate in certain HHS-administered programs, and certain health insurance issuers offering plans on government-administered marketplaces – from discriminating based on protected characteristics when using care decision support tools, and require such entities to take steps to identify and mitigate the risk of such discrimination. The general prohibition on discrimination is already in force, and the requirements to affirmatively identify and mitigate the risk of discrimination are effective May 1, 2025. See our prior post here for further discussion of the 2024 rule updates. The Dear Colleague letter outlines practices recommended for regulated entities when developing or using AI-enabled care decision support tools (e.g., using AI registries, assessing inputs used to develop and train tools, implementing “human in the loop” processes, auditing tool performance, and implementing policies, training, and other governance processes). The letter also identifies factors OCR may consider when assessing compliance, including the size and resources of the organization, known information about discrimination risks at the time a tool is used, whether the tool is used as intended by the developer, and the processes established to evaluate potential tools.
OCR is expected to continue utilizing its resources, including rulemaking authority, enforcement power, and policy measures to help ensure health data is safe and secure, and used responsibly. The current emphasis on securing data and responsible use of AI will likely continue into 2025, and health care organizations may consider steps to mitigate risk of OCR scrutiny, including:
Authored by Marcy Wilder, Paul Otto, Donald DePass, Fleur Oké, Dan Ongaro, and Rose Grover.